Newsletter March 2018

Following our Newsletter last month, many small business owners will have pencilled in 25 May 2018 as the date when the General Data Protection Regulation (GDPR) comes into force. But it’s also likely they all have the same question: what does GDPR mean for my business and me?

The simple answer is that it means a lot. Any company, big or small, will have to comply with new regulations regarding the secure collection, storage and usage of personal information.

Data is any information which can be used to identify someone, including (but not limited to) their name, address, telephone number, email address, etc.

But the good news is that the GDPR recognises that smaller businesses require different treatment to large or public enterprises.

Let’s start at the beginning with ‘what does GDPR mean’. The two central objectives of GDPR are: 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU.

Another point to remember is that although the UK has voted to leave the EU, UK business will still have to comply with new regulations if the data they handle is about EU citizens, or has the potential to identify individuals within the EU. What’s more, digital minister Matt Hancock has confirmed that the UK will replace the 1988 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit.

The key stipulations of GDPR are firms of over 250 employees will be aware of their obligations. GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of individuals.

Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.

At each of the stages, the onus is on the person collecting data to ensure that the entire process is compliant.

So what can you do to get a handle on your data? Well, better management of your data has to begin with discovery. GDPR will mean that every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.

When you understand where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data.

Preparation will be key, but GDPR compliance will be an ongoing task that will require careful monitoring. Being aware of the new regulations and what they mean for your business is vital. So don’t stick your head in the sand and wait for it to pass. After all, once the GDPR arrives, it’s here to stay and unfortunately as are penalties.